Task Father

Security checks across malware telemetry and agentic risk

Overview

This task-management skill is mostly coherent, but it needs review because it can create persistent OpenClaw cron prompts and its cron-name handling can write or delete files outside the intended cron folder.

Review before installing, especially in shared or production-like OpenClaw workspaces. Use only simple cron names with letters, numbers, underscores, and hyphens; avoid slashes, absolute paths, and '..'. Inspect created OpenClaw cron jobs regularly, remove them when work is complete, and avoid placing secrets in generated task files or queues until path validation and confirmation controls are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly instructs use of file reads/writes and shell commands (`python3`, `openclaw`) but does not declare permissions or boundaries for those capabilities. This is dangerous because an agent or user may invoke filesystem and shell actions with broader access than expected, increasing the chance of unintended modification of the workspace or host state.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: The skill presents itself as a file-based task-state-machine generator, but it also performs external cron-management side effects through the `openclaw` CLI. This hidden expansion of authority is dangerous because users may trust it to only write local task files while it can also create or remove scheduled jobs that trigger future actions.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding: Executing an external subprocess to manage scheduler state gives the tool powers beyond simple file generation, including persistence-like behavior via scheduled execution. In the context of an agent skill, this is more dangerous because scheduled jobs can continue triggering after the initial user interaction and may be overlooked during review.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill documents creating a registry, task folders, state files, scripts, cron files, and queue-state files under the workspace, but it does not warn users that running it will modify the filesystem. In a file-generating skill, silent persistence is risky because it can create durable state, overwrite files, or leave behind execution artifacts without informed consent.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill includes commands to add and remove cron jobs but does not provide a clear warning that this can schedule background execution on the host. Scheduled jobs are more dangerous than one-time file edits because they create persistent, recurring behavior that may continue running after the user forgets about it, potentially executing prompts or scripts repeatedly.

Missing User Warnings

Medium
Confidence: 95%
Finding: Cron add/remove operations happen immediately with no confirmation, dry-run, or warning even though they modify external runtime state. This is risky because a mistaken or malicious invocation can silently create persistence or disrupt existing scheduled work, especially in an automation/agent environment where commands may be triggered programmatically.

VirusTotal

65/65 vendors flagged this skill as clean.
